Overview of Container Scan Results

Modified on Fri, 6 Sep at 2:26 PM

Step 1 : Start a scan

Once the online scan finishes, you get a result like the following:




The picture above shows that we scanned a project named “python” which has Container scans. Let’s dive into that.


Understanding the results:  


Here,

“C” - number of Critical-severity vulnerabilities found in the SAST scan

“H” - number of High-severity vulnerabilities found in the SAST scan

“M” - number of Medium-severity vulnerabilities found in the SAST scan

“L” - number of Low-severity vulnerabilities found in the SAST scan



Step 2 : Click on the row with the title “Container” and you will see a screen like this :


It contains the following information about your SAST scan:


1) Project Scanned

          Name of the current project. In this case, python

2) Snapshot Scan Time

          When the scan was performed: on which date and at what time

3) API key owner

          Which user performed this scan. We show their email address



Search Bar : 


    Users can search vulnerabilities by typing a query into this search bar.




Filters on left side : 



You can apply filters through the left filter bar. The filter bar includes:


  • SEVERITY: Enables filtering of vulnerabilities based on their severity levels (Critical, High, Medium, or Low) or on their Exploitability, allowing you to prioritize remediation efforts.

  • In Allowed List: This filter shows only those vulnerabilities that have been added to the allowed list, facilitating quick review of previously acknowledged issues.

  • New Vulnerabilities: Filters the vulnerabilities based on their discovery date, helping to isolate recent issues that need immediate attention.

  • Show Files: This filter lets you choose whether to show files that are “Excluded” or “Not Excluded”.



Vulnerability card : 




Three Dots Menu: A clickable icon represented by three dots on the card. Clicking this brings up a menu with several options for managing the vulnerability:


  • Add to Allowed List: Allows you to temporarily include the vulnerability in your allowed list, acknowledging it but deciding it does not require immediate action.

  • Mark as False Positive: If you determine that the reported vulnerability is not a genuine threat, you can label it as a false positive for a certain duration.

  • Overwrite Severity: Provides the capability to adjust the severity rating of a vulnerability, based on your assessment.

  • Create Jira Ticket: This enables you to create a Jira ticket directly from the vulnerability card. This feature allows you to set up a ticket that describes the vulnerability and assigns it for remediation within your development workflow.

  • Add Comment: Offers a space to add notes or comments regarding the vulnerability, which can be useful for team communications or future reviews.


Options like “Add to Allowed List” and “Mark as False Positive” further provide various timeline options, allowing you to set the duration of these settings:

  • Mark for a Day: Apply the setting for 24 hours.

  • Mark for a Week: Extend the setting for one week.

  • Mark for a Month: Keep the setting for one month.

  • Mark for a Year: Maintain the setting for a full year.

  • Mark Forever: Indefinitely apply the setting until changed.

  • Select Custom Date: This choice opens a popup where you can select an exact date for the setting to expire, offering precise control over the duration.


Manage vulnerabilities in Cluster


For more efficient vulnerability management, our interface allows users to apply settings to multiple vulnerabilities simultaneously. This feature is especially useful when you need to quickly classify several issues as false positives or add them to the allowed list without adjusting each one individually.


  • Select Vulnerabilities: At the top left of each vulnerability card, there is a checkbox. Click these checkboxes to select the vulnerabilities you wish to manage together.



  • Apply Cluster Actions: After making your selections, two options will appear next to the count of selected vulnerabilities at the top of the list:

    • Set as False Positive: This action enables you to collectively mark all selected vulnerabilities as false positives.

    • Add to Allowed List: This allows you to add all chosen vulnerabilities to the allowed list simultaneously.


Managing vulnerabilities in groups saves time, reduces mistakes, and keeps your project’s security handling consistent and straightforward.



View Dependencies


Click on “dependencies” to view the vulnerable dependencies in that project :


View Licenses


Click on “OSS Licenses” to view licenses : 



View Remediation


Click on “Remediation” to view remediation :  


